Dashboards & Visualizations

Incorrect (extra) information in Bar Visalization in Dashboard

DigitalOverdriv
Engager

Hello! I have a dashboard with several visualization panels. One of these is linked to a search that pulls the Top 10 Source IPs by Log Activity.

index="index_name" $token.source.address$
|fields source_address 
|stats count by source_address 
|table source_address, count
|rename source_address as "Source IP", count as "Count"
|sort -Count
| head 10

 

The token, $token.source.address$, is set by a text box on the dashboard for the bar visualization below. However, in addition to the correct value being shown, there are often other incorrect values shown as well.

 

Dashboard - Top 10 Source IPs.png

There doesn't seem to be a pattern as to why this happens? Does anyone know why this may happen and how to correct it?

Thanks!

Labels (3)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
source_address=$token.source.address$

 It could be that the events that are being returned are where the $token.source.address$ value exists elsewhere in the event.

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust
source_address=$token.source.address$

 It could be that the events that are being returned are where the $token.source.address$ value exists elsewhere in the event.

DigitalOverdriv
Engager

Thank you! This pointed me in the right direction! It turned out that the issue was that the token was somehow picking up the nat_source_address field as well.

 

 

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...